Enable Office 365 Built-In MDM (Mobile Device Management)

Do you have company-owned mobile devices or employee-owned mobile devices that receive email? Of course, you do everyone does. Do you have a Mobile Device Management solution that you’re paying lots for but only using little of? Have you got or are you looking at getting Office 365? If the answer to any of these questions is yes then you need to be aware of Mobile Device Management in Office 365 which Microsoft announced on March 30 on the Office Blog. In this post, I’m going take you through enabling MDM management of a device but first, why is MDM in Office 365 important?

Why is MDM in Office 365 important?

The Exchange Active Sync (EAS) protocol has had some mobile device management like capabilities for some time, but as mobile devices and their use has evolved EAS hasn't been the go-to management solution beyond email. OS manufacturers have invested in Mobile Device Management protocols and deeply instrumented those in their OS allowing MDM to apply policies far beyond email.

I'll give you a prime example of that evolution: The BYOD movement has led to people using their personal devices for work. It's not clear, legally, everywhere, how much control over such a device an employer has and it can vary dramatically even in one country. As a result wiping everything on a device that is personally owned could be worrisome to an employer.

With AES, it's only been possible to fully wipe a device. One of the capabilities that Office 365 built-in MDM brings is the ability to selectively wipe business data from the device. This is huge because if remote-wipe is your only need, Office 365's built-in MDM has you covered. More of you need to specify basic device policies (that still go beyond AES) to control device capabilities, such as encryption, password requirements, app (age) restrictions and the like. A full list of the policies enabled through Office 365 MDM is on TechNet.

Conditional Access to Office 365 is also available through the built-in MDM. If you aren't familiar with the principle of Conditional Access yet, it asks a simple question: Does the device meet the minimum bar for entry. You define the minimum bar. So you can set a policy that says that a device must be managed by Office 365, so you can wipe it, for example, before its allowed access to critical information. Frankly it's ground-breaking that this ability is in an MDM offering that costs nothing extra.

With all that in mind, what's the answer to the question: Why is MDM in Office 365 important? The Answer: It gives you another, better, option for management.

For some customers, it might be the only MDM they need. Indeed I surveyed my Twitter followers and I found out something interesting (I do this regularly, you should follow me to participate and be heard). 14% of respondents to one poll were paying for MDM (which is probably about $100 per user or $51 per device per year* they could cut this from their expenditure immediately…that would probably make the boss happy!)

How about if you still need MDM for some users that need capabilities beyond what's built into Office 365 such as Mobile Application Management or Company Resource provisioning?

There are people or groups of devices that need capabilities beyond what's available built into Office 365 MDM and that is fine. Just license them for Microsoft Intune and the on-ramp is simple. Users with a Microsoft Intune license are managed through Microsoft Intune, users without are managed through Office 365 MDM! With Microsoft Intune, you get capabilities such as being able to automatically provision company resources (certificates, VPN, WiFi) and being able to distribute and manage apps.

Ok, looks useful, let's try this…

That's the why over with and hopefully you want to start taking a look. Let's take a look through my Office 365 tenant and see what we need to do to get setup.

Enable Office 365 MDM

First we go to the Mobile Devices option in the Office 365 Admin portal and click Get Started to start the activation process, this will take some time to complete. If you're using a custom domain (such as contoso.com and not .onmicrosoft.com )to set up Office 365 as a mobile device management authority you will need to set up the correct DNS settings and exchange a certificate request from Office 365 for a certificate from Apple to work with the Apple Push Notification Network (APN) to support iOS. You'll need to add the following two DNS entries if you're using a custom DNS:

Hostname

Record type

Address

TTL

EnterpriseEnrollment

CNAME

EnterpriseEnrollment.manage.microsoft.com

3600

EnterpriseRegistration

CNAME

EnterpriseRegistration.windows.net

3600

REALLY neat feature. These are the same DNS entries you need to add if you're using Microsoft Intune for MDM, which is why moving some or all users to Intune from Office 365 MDM in the future might be possible.

REALLY neat feature. These are the same DNS entries you need to add if you're using Microsoft Intune for MDM!

Optionally you can enable Multi-Factor Authentication (MFA) meaning that to enroll their device into Office 365 MDM management they need to give a second factor of authentication, such as receive a phone call or text from the Azure MFA service. Configuring this only requires MFA for device registration from that point forward, because the device is now trusted, it's a second factor of authentication.

Create A Device Security Policy

Now that your Office 365 tenant is enabled for MDM we need to enable some policy. So click the Manage device security policies and access rules link. You'll be taken to Compliance Center where you'll click the Manage device access settings link.

In Organization-wide settings for device access management, you can choose to allow devices that don't support MDM management to enroll or choose to block them. If you choose block then a device must be MDM capable to add an Office 365 email profile. You might want to do this for your regular users but have some users that you this rule doesn't apply to (such as your C-level people).

Finally, let's create our policy and target it to some users. Click the New icon (the plus sign). Enter a policy name, and click Next. Make some policy settings: I like to set a password policy for testing purposes. The last section of the Device Security Policy determines what to do if a device is non-complaint, this is Conditional Access!

Conditional Access

Conditional Access, as previously stated, prevents a non-compliant device from accessing resources. If you select Block access and report violation what happens is that if any of the above policy settings aren't set on the device (or the device has refused the setting) access to Office 365 Email, SharePoint and OneDrive for Business will be blocked from this device. If you select Allow access and report violation then the violation will just be audited (which you can see in either case in Compliance Center).

This is simply a cool feature: It means you can definitely stop email flow to a device that isn't enrolled, or a device that's jailbroken or rooted, or a device that simply isn't encrypted.

In the case of email, all the user will get in their inbox, until they are compliant, is a single email telling them how to get compliant, and nothing more!

Click Next to set the policy.

Something Extra Really Cool

One other thing. If you tick the box that says Require managing email profile then what you're saying is that if the user added their own email profile that is not good enough for them to access resources. The reason it's not good enough is that you DO NOT have the right to wipe a non-managed email profile on iOS or Android and, therefore, you don't have control over your organization's email data.

Ticking Require managing email profile does something really cool. The user is prompted to remove the organizational email profile they added and, once that's done, Office 365 will provision the email profile to the user's device, making it managed!

And that [Email Provisioning] takes is just one check box!

Finally, Deploy the Policy

The very last thing you'll do is deploy the policy. Just search for a security group that you want to deploy the policy to, select the group, click Add and Ok. Then you can go to a test device and try out the policy, add an organizational email account manually on the device and (if you selected the Block option for conditional access) you'll receive an email telling you to enroll your device by getting the Company Portal app from the store.

Perhaps you'd like to see this in action

Corporate Vice President, Enterprise Client and Mobility at Microsoft, Brad Anderson and I took a look at this on the latest episode of the Endpoint Zone with Brad Anderson which you can watch below:

This is cool, I want to try it out how do I do that?

Firstly, if you have Office 365 you should check to see if MDM is available in your Admin portal yet. If it is you'll see it just like in the first step above. If it's not it's coming, Office 365 MDM is rolling out now, but it'll take us a few more weeks to complete every Office 365 tenant (there are so many!)

If you don't yet have Office 365 you can get a free trial, although the functionality might not be available there yet, but it should be before the trial expires.

Related

Simon May is an Infrastructure Technology Evangelist at Microsoft concentrating on Devices and Services but with special interests in deployment and device management. Simon is a professional public speaker and the author of several books on Windows. Opinions on this blog are his own.

15 Comments

We are a Microsoft Partner and have enabled the Intune license that came with the Partner Program. That license is only for 5 users but it now prevents me from using the Office 365 MDF features. Any thoughts? It looks like it’s Office 365 MDM or Intune, but not both. I have not looked but I didn’t think Intune would let me manage basic MDM features without a license?

I’m a bit confused. You say it’s an either or situation but the article talks enabling some devices with an Intune license if the additional features are required and managing others in O365 if they don’t.

Office 365 MDM and Microsoft Intune can now coexist (just raise a support case and ask for it to be done). In short Office 365 MDM will provide features like, business only data wipe, while Intune will go beyond this and allow you to do app deliver and protection. Some people in your company might not need the richer features of Intune.

Well, I did end up opening a case and they informed me I would have to open a separate case to request the switch to Intune but that I would have to retire/wipe ALL devices and then “move” them to Intune. This sounds nuts and I’m not going to do that to my users. This was from the 3rd level of support my case escalated to and from an MS person who “knows a lot about Intune”.

Just a warning that MDM does not support the OneDrive app for Windows Phone. You are able to add an Office 365 OneDrive for Business account, but if you enable MDM, you get an error. iOS and Android are support. Go figure!